Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,101)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-43854 1Nltk 1Nltk Nov 21, 2024 Dec 23, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular exp...Show more NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.Show less
CVE-2021-43843 1Jsx Slack Project 1Jsx Slack Nov 21, 2024 Dec 20, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Den...Show more jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters.Show less
CVE-2021-43838 1Jsx Slack Project 1Jsx Slack Nov 21, 2024 Dec 17, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If attacker can put a lot...Show more jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If attacker can put a lot of JSX elements into `<blockquote>` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched to a regex for escaping blockquote characters. Users are advised to upgrade as soon as possible.Show less
CVE-2021-39939 1Gitlab 1Gitlab Nov 21, 2024 Dec 13, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, a...Show more An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on runner managerShow less
CVE-2021-39938 1Gitlab 1Gitlab Nov 21, 2024 Dec 13, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontro...Show more A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commandsShow less
CVE-2021-44228 12Apache AppleBentley+9 more 1436bk1602 0aa12 0tp0 Firmware 6bk1602 0aa22 0tp0 Firmware6bk1602 0aa32 0tp0 Firmware+140 more Feb 20, 2026 Dec 10, 2021 N/A· v4 10.0 CRITICAL· v3 9.3 HIGH· v2 Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other J...Show more Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.Show less
CVE-2021-41014 1Fortinet 1Fortiweb Nov 21, 2024 Dec 8, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to make the httpsd daemon unresponsive via huge HTTP packets
CVE-2021-37061 1Huawei 1Harmonyos Nov 21, 2024 Dec 7, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 There is a Uncontrolled Resource Consumption vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to Screen projection application denial of service.
CVE-2021-44527 1Ui 1Unifi Switch Firmware Nov 21, 2024 Dec 7, 2021 N/A· v4 6.5 MEDIUM· v3 6.1 MEDIUM· v2 A vulnerability found in UniFi Switch firmware Version 5.43.35 and earlier allows a malicious actor who has already gained access to the network to perform a Deny of Service (DoS) attack on the affected switch.This vulne...Show more A vulnerability found in UniFi Switch firmware Version 5.43.35 and earlier allows a malicious actor who has already gained access to the network to perform a Deny of Service (DoS) attack on the affected switch.This vulnerability is fixed in UniFi Switch firmware 5.76.6 and later.Show less
CVE-2021-22956 1Citrix 3Application Delivery Controller Firmware GatewaySd Wan Nov 21, 2024 Dec 7, 2021 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 An uncontrolled resource consumption vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 that could allow an attacker with access to NSIP or SNIP with management interface access to cause a tempora...Show more An uncontrolled resource consumption vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 that could allow an attacker with access to NSIP or SNIP with management interface access to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication.Show less
CVE-2021-22955 1Citrix 2Application Delivery Controller Firmware Gateway Nov 21, 2024 Dec 7, 2021 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 A unauthenticated denial of service vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 when configured as a VPN (Gateway) or AAA virtual server could allow an attacker to cause a temporary disrupt...Show more A unauthenticated denial of service vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 when configured as a VPN (Gateway) or AAA virtual server could allow an attacker to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication.Show less
CVE-2021-44686 2Calibre Ebook Fedoraproject 2Calibre Fedora Nov 4, 2025 Dec 7, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in html_preprocess_rules in ebooks/conversion/preprocess.py.
CVE-2021-20609 1Mitsubishi 55Melipc Mi5122 Vw Firmware Melsec Iq R R00 Cpu FirmwareMelsec Iq R R01 Cpu Firmware+52 more Nov 21, 2024 Dec 1, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R Series R00/01/02CPU, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU, MELSEC iQ-R Series R08/16/32/120SFCPU, MELSEC iQ-R Series R08/16/32/120P...Show more Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R Series R00/01/02CPU, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU, MELSEC iQ-R Series R08/16/32/120SFCPU, MELSEC iQ-R Series R08/16/32/120PCPU, MELSEC iQ-R Series R08/16/32/120PSFCPU, MELSEC iQ-R Series R16/32/64MTCPU, MELSEC iQ-R Series R12CCPU-V, MELSEC Q Series Q03UDECPU, MELSEC Q Series Q04/06/10/13/20/26/50/100UDEHCPU, MELSEC Q Series Q03/04/06/13/26UDVCPU, MELSEC Q Series Q04/06/13/26UDPVCPU, MELSEC Q Series Q12DCCPU-V, MELSEC Q Series Q24DHCCPU-V(G), MELSEC Q Series Q24/26DHCCPU-LS, MELSEC Q Series MR-MQ100, MELSEC Q Series Q172/173DCPU-S1, MELSEC Q Series Q172/173DSCPU, MELSEC Q Series Q170MCPU, MELSEC Q Series Q170MSCPU(-S1), MELSEC L Series L02/06/26CPU(-P), MELSEC L Series L26CPU-(P)BT and MELIPC Series MI5122-VW allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets. System reset is required for recovery.Show less
CVE-2021-42120 1Businessdnasolutions 1Topease Nov 21, 2024 Nov 30, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on all object attributes allows an authenticated remote attacker with Object Modification p...Show more Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on all object attributes allows an authenticated remote attacker with Object Modification privileges to insert arbitrarily long strings, eventually leading to exhaustion of the underlying resource.Show less
CVE-2021-36310 1Dell 1Networking Os10 Nov 21, 2024 Nov 20, 2021 N/A· v4 4.9 MEDIUM· v3 6.8 MEDIUM· v2 Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x & 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading...Show more Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x & 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service.Show less
CVE-2021-22965 2Ivanti Pulsesecure 2Connect Secure Pulse Connect Secure Nov 21, 2024 Nov 19, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to causes a denial of service when a malformed request is sent to the device.
CVE-2021-33073 1Intel 1Distribution Of Openvino Toolkit Nov 21, 2024 Nov 17, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Uncontrolled resource consumption in the Intel(R) Distribution of OpenVINOâ„¢ Toolkit before version 2021.4 may allow an unauthenticated user to potentially enable denial of service via local access.
CVE-2021-0182 1Intel 1Hardware Accelerated Execution Manager Nov 21, 2024 Nov 17, 2021 N/A· v4 6.2 MEDIUM· v3 2.1 LOW· v2 Uncontrolled resource consumption in the Intel(R) HAXM software before version 7.6.6 may allow an unauthenticated user to potentially enable information disclosure via local access.
CVE-2021-0180 1Intel 1Hardware Accelerated Execution Manager Nov 21, 2024 Nov 17, 2021 N/A· v4 8.4 HIGH· v3 4.6 MEDIUM· v2 Uncontrolled resource consumption in the Intel(R) HAXM software before version 7.6.6 may allow an unauthenticated user to potentially enable privilege escalation via local access.
CVE-2021-41229 2Bluez Debian 2Bluez Debian Linux Nov 4, 2025 Nov 12, 2021 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be fre...Show more BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.Show less

Previous 1...101102103...156 Next